AWS IAM

AWS IAM is Amazon's identity and access management service. According to Amazon, it "enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources."

Below I am going to help you set up your first user and get started using AWS. The first thing we need to do is set up an AWS IAM user, so that you stop working as the root user.

To set up a new AWS IAM user we first need to open IAM. The easiest way to do this is to type IAM into the AWS services search bar.

On the IAM dashboard you will see a few items. The first is the sign-in link that IAM users in your account use to reach the AWS console. By default the URL contains your 12-digit account ID, but you can replace that number with an account alias of your choosing, as long as the alias is not already taken. Below the sign-in link you will see your IAM resources. This is where you manage all of your users and the access they have in AWS.

Setting up MFA

If you have just created your account and you are logged in with your email address, you are logged in as the root user. The root user has unrestricted access to every service in the account, so the first thing we need to do is protect it with Multi-Factor Authentication (MFA). Click "Activate MFA" and follow the instructions. You will need a compatible device, such as an approved authenticator app like Google Authenticator. Scan the QR code with your app, enter the first code, wait for it to expire, then enter the second code and press "Activate Virtual MFA".

Once completed you should see a confirmation message. Click Finish, and the root user now requires MFA to sign in.

Setting up a User

To set up a user, click "Create individual IAM users" on the IAM home page, then click the "Add user" button.

I am going to add a new user called Guest. Guest gets both access types, Programmatic access and AWS Management Console access. Programmatic access issues an access key ID and secret access key, which your programs use through the AWS CLI or SDKs from a terminal or server; AWS Management Console access is the browser sign-in we are currently using. For the console password it is best to choose autogenerated, as you will get a strong random password. Lastly, you can require the user to set a new password at their next sign-in.

Groups

Groups are collections of users; any policy attached to a group applies to every user in it. A policy is a JSON document that is attached to a user, group or role to grant (or explicitly deny) permissions.

I am going to give my guest user admin access. Type system-admins as the group name. There are currently 351 AWS managed policies, so let's filter the list. Searching for "admin" yields 15 results. Expanding any of the policies shows the JSON document that spells out exactly what the policy allows. Here is a sample of the JSON for AmazonAPIGatewayAdministrator if you want to see what one looks like. Keep in mind that AdministratorAccess grants every action on every resource in the account; a real guest account should only get the policies it needs, which is what the per-user Glacier permission later in this post demonstrates.

Click through the remaining screens and you will reach the final page, which shows the Access key ID, Secret access key and Password. The access key pair is what the AWS CLI and SDKs use to authenticate from a laptop or server. When logging in to the console you use the username and password.

NOTE: This is very important. The secret access key and the password are shown only once and cannot be retrieved later, so download the CSV or store them in a password manager right now. Treat that CSV as a secret: it is a working credential, so delete it once the values are stored safely.

Add and remove a user from a group

Click "Groups" in the left menu and select "Create New Group".

Follow the same steps as before. Once the group exists, click on it and use "Add Users to Group" to pick the users that should belong to it; removing a user from the group takes away every permission the group's policies gave them.

Next, go back to Users and click on the user. Here you can see what permissions the user has and which policies grant them. A useful feature is that you can also attach permissions to a single user. For example, let's say we want Guest to be able only to archive files. Click "Add permissions", search for the policy you want to attach, in our case glacier, and then click Next.

You can now see that Guest has Glacier read access. Note that a read-only Glacier policy lets the user list vaults and retrieve archives but not upload them; to actually archive data the user needs write actions such as glacier:UploadArchive, so for a user who should only archive you would attach a policy limited to those actions (ideally on one named vault) rather than a read-only one.
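To make the "what does a policy let this user do?" question from the Groups section and the Glacier example above concrete, here is an added example that is not code from the original post. It writes out a read-only Glacier policy, an archive-only policy scoped to one vault, and the everything-everywhere shape of AdministratorAccess, then evaluates them with a small checker that follows IAM's core rule (default deny, Allow grants, any matching explicit Deny wins). The account ID and vault name are made-up placeholders, and Condition, NotAction and NotResource are deliberately not modelled.

```python
# Added example (not from the original post): IAM policy documents for the
# archive-only guest and the admin group, plus a checker that mirrors how IAM
# matches Action and Resource. Account id and vault name are placeholders.
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account
VAULT_ARN = f"arn:aws:glacier:us-east-1:{ACCOUNT_ID}:vaults/archive-vault"

# What a "read" Glacier policy gives: list/describe/retrieve, no uploads.
GLACIER_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["glacier:ListVaults", "glacier:DescribeVault",
                   "glacier:ListJobs", "glacier:GetJobOutput"],
        "Resource": "*",
    }],
}

# What a user who should only archive data needs, limited to one vault,
# with an explicit Deny so no other policy can let them delete archives.
GLACIER_ARCHIVE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["glacier:UploadArchive",
                       "glacier:InitiateMultipartUpload",
                       "glacier:UploadMultipartPart",
                       "glacier:CompleteMultipartUpload",
                       "glacier:AbortMultipartUpload"],
            "Resource": VAULT_ARN,
        },
        {
            "Effect": "Deny",
            "Action": ["glacier:DeleteArchive", "glacier:DeleteVault"],
            "Resource": "*",
        },
    ],
}

# The shape of the AdministratorAccess managed policy: everything, everywhere.
ADMIN_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, case_insensitive):
    # IAM matches action names case-insensitively; ARNs are matched as-is.
    for pattern in _as_list(patterns):
        if case_insensitive:
            if fnmatch.fnmatchcase(value.lower(), pattern.lower()):
                return True
        elif fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def grants_action(policy, action, resource="*"):
    """True if `policy` allows `action` on `resource` (default deny,
    Allow grants, any matching explicit Deny overrides every Allow)."""
    allowed = False
    for statement in policy["Statement"]:
        if any(k in statement for k in ("NotAction", "NotResource", "Condition")):
            raise ValueError("NotAction/NotResource/Condition are not modelled")
        if not _matches(action, statement["Action"], case_insensitive=True):
            continue
        if not _matches(resource, statement["Resource"], case_insensitive=False):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def admin_statements(policy):
    """Indices of Allow statements granting every action on every resource."""
    hits = []
    for i, statement in enumerate(policy["Statement"]):
        wildcard_action = any(a in ("*", "*:*") for a in _as_list(statement["Action"]))
        wildcard_resource = "*" in _as_list(statement["Resource"])
        if statement["Effect"] == "Allow" and wildcard_action and wildcard_resource:
            hits.append(i)
    return hits


if __name__ == "__main__":
    for name, policy in [("read-only", GLACIER_READ_ONLY),
                         ("archive-only", GLACIER_ARCHIVE_ONLY),
                         ("admin", ADMIN_ACCESS)]:
        print(name, "| can upload to the vault:",
              grants_action(policy, "glacier:UploadArchive", VAULT_ARN),
              "| admin-style statements:", admin_statements(policy))
    print(json.dumps(GLACIER_ARCHIVE_ONLY, indent=2))
```

Running it shows that the read-only policy cannot upload at all, the archive-only policy can upload to the named vault but to no other vault and can never delete, and the admin policy can do anything. The `admin_statements` check is the one worth running over any managed policy before you attach it to a group: a hit means "this is AdministratorAccess under another name".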

Modifying a user's credentials

The second to last tab when viewing a user is Security Credentials. Here we can see the status of the user's credentials. There is a lot on this page, but I want to focus on access keys. Here we can see Guest's access key (remember, access keys are for programmatic access only, not the console). Making the key inactive means the user can no longer authenticate programmatically with it until it is made active again, which is the right first step when a key may have leaked; deleting it removes it for good. The same tab also shows when a key was created and last used, which is how you spot keys that are old or never used.
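Checking one user's Security Credentials tab by hand is fine for a single account; the account-wide version of the same review (users who can sign in to the console without the MFA set up earlier, and access keys that are stale) is what IAM's credential report is for. The following is an added example, not code from the original post: it parses a constructed excerpt of a credential report that uses the report's real column names, but the account ID, user names and dates are made up.

```python
# Added example (not from the original post): the checks you would do on the
# Security Credentials tab, run over an IAM credential report CSV. The rows
# are constructed sample data; only the column names match the real report.
import csv
import io
from datetime import datetime, timezone

# Constructed report excerpt. Real reports use these column names and the
# values true/false, N/A, not_supported and no_information.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2019-06-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
guest,arn:aws:iam::123456789012:user/guest,2019-05-01T14:32:11+00:00,true,2019-06-03T10:15:00+00:00,2019-05-01T14:32:11+00:00,N/A,false,true,2019-05-01T14:32:11+00:00,2019-05-02T11:00:00+00:00,us-east-1,glacier,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2019-02-20T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2019-02-20T12:00:00+00:00,2019-06-02T23:59:00+00:00,us-east-1,s3,true,2018-11-01T12:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# The (made-up) moment the report was generated; findings are relative to it.
REPORT_DATE = datetime(2019, 6, 5, tzinfo=timezone.utc)


def parse_report(text):
    """Credential report CSV -> list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _when(value):
    """Report timestamps are ISO 8601; the placeholder values mean 'none'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def console_users_without_mfa(rows):
    """Users who can sign in to the console (root always can) with no MFA."""
    found = []
    for row in rows:
        has_console = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            found.append(row["user"])
    return found


def stale_access_keys(rows, now, max_age_days=90):
    """Active keys that are unused for, or never used within, max_age_days,
    plus active keys that have not been rotated within max_age_days."""
    findings = []
    for row in rows:
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _when(row[f"access_key_{slot}_last_rotated"])
            last_used = _when(row[f"access_key_{slot}_last_used_date"])
            since_rotation = (now - rotated).days
            if last_used is None:
                reason, age = f"never used since creation on {rotated.date()}", since_rotation
            else:
                reason, age = f"last used {last_used.date()}", (now - last_used).days
            if age > max_age_days:
                findings.append({"user": row["user"], "key": slot,
                                 "reason": f"{reason}, {age} days ago"})
            elif since_rotation > max_age_days:
                findings.append({"user": row["user"], "key": slot,
                                 "reason": f"not rotated for {since_rotation} days"})
    return findings


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("console users without MFA:", console_users_without_mfa(rows))
    for finding in stale_access_keys(rows, REPORT_DATE):
        print(f"{finding['user']} key {finding['key']}: {finding['reason']}")
```

On the sample data the guest user is flagged because it has a console password but no MFA device, and deploy-bot is flagged twice: key 1 is in use but older than 90 days, and key 2 has never been used at all, which is exactly the kind of key to make inactive first and delete once nothing breaks. Root is not flagged because MFA was activated on it earlier in the post.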

Adding Roles

Setting up a role matters when you need something other than a person, for example an EC2 instance, to access S3. AWS IAM roles are a secure way to grant permissions to entities you trust without handing out long-lived access keys: the trusted entity can be another AWS account, an application, an AWS service, or users from a corporate directory. I am going to create a role that allows an EC2 instance to write to an S3 bucket. First, click "Create role". By default "AWS service" is selected as the trusted entity; choose EC2. Search for S3 and select AmazonS3FullAccess. Click Next, add a name and description, and you are done setting up your AWS IAM account (for now). Bear in mind that AmazonS3FullAccess grants every S3 action on every bucket in the account; for anything beyond a test, write a policy limited to the one bucket the instance actually needs.
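A role is really two documents, and the console hides one of them when you click through as described above: a trust policy that says who may assume the role (written for you when you pick EC2), and one or more permissions policies that say what the role may do. The following is an added example, not code from the original post, that writes out both for the EC2 role and adds a check for the classic mistake of a trust policy that lets anyone assume the role. The bucket name is a made-up placeholder, and the bucket policy is a scoped alternative to AmazonS3FullAccess rather than a copy of it.

```python
# Added example (not from the original post): the trust policy and a scoped
# permissions policy for an EC2 role, plus a check that the trust policy is
# not open to the world. The bucket name is a constructed placeholder.
import json

BUCKET = "example-archive-bucket"  # constructed placeholder


def ec2_trust_policy():
    """The trust policy the console generates when EC2 is the trusted entity:
    only the EC2 service may call sts:AssumeRole on this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


# The misconfiguration to watch for: any AWS principal anywhere may assume it.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
}


def bucket_write_policy(bucket):
    """Permissions policy for one bucket instead of AmazonS3FullAccess:
    list the bucket, and put/get objects inside it. Note the two ARN forms,
    the bucket itself for ListBucket and bucket/* for object actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Set of 'Type:value' strings naming who may assume the role."""
    found = set()
    for statement in trust_policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(statement["Action"])):
            continue
        principal = statement["Principal"]
        if principal == "*":          # bare "*" is shorthand for {"AWS": "*"}
            found.add("AWS:*")
            continue
        for ptype, values in principal.items():
            for value in _as_list(values):
                found.add(f"{ptype}:{value}")
    return found


def is_open_trust(trust_policy):
    """True if an unconditioned Allow lets any AWS principal assume the role."""
    for statement in trust_policy["Statement"]:
        if statement["Effect"] != "Allow" or "Condition" in statement:
            continue
        principal = statement["Principal"]
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            return True
    return False


if __name__ == "__main__":
    for name, policy in [("ec2 role", ec2_trust_policy()), ("open role", OPEN_TRUST_POLICY)]:
        print(name, "trusted by:", sorted(trusted_principals(policy)),
              "| open to the world:", is_open_trust(policy))
    print(json.dumps(bucket_write_policy(BUCKET), indent=2))
```

When you create an EC2 role in the console it also creates an instance profile of the same name, which is what you attach to the instance; the instance then obtains temporary credentials for the role automatically, and there is no access key to download, rotate or leak.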